/**
 * XSS防护配置
 * 配置XSS防护的各种参数和规则
 */

export interface XssConfig {
  // 允许的HTML标签
  allowedTags: string[]
  // 允许的HTML属性
  allowedAttributes: string[]
  // 允许的URL协议
  allowedProtocols: string[]
  // 是否允许数据属性
  allowDataAttributes: boolean
  // 最大内容长度
  maxLength: number
  // 是否启用严格的URL验证
  strictUrlValidation: boolean
  // 自定义清理规则
  customRules?: Array<{
    pattern: RegExp
    replacement: string
  }>
}

// 默认XSS防护配置
export const defaultXssConfig: XssConfig = {
  allowedTags: [
    'p', 'br', 'div', 'span', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
    'strong', 'b', 'em', 'i', 'u', 'strike', 'del', 'ins',
    'ul', 'ol', 'li', 'blockquote', 'pre', 'code',
    'a', 'img', 'table', 'thead', 'tbody', 'tr', 'td', 'th'
  ],
  allowedAttributes: [
    'href', 'title', 'alt', 'src', 'width', 'height', 'class',
    'colspan', 'rowspan', 'cellpadding', 'cellspacing', 'border'
  ],
  allowedProtocols: ['http:', 'https:', 'mailto:'],
  allowDataAttributes: false,
  maxLength: 10000,
  strictUrlValidation: true
}

// 富文本编辑器配置（更宽松）
export const richTextXssConfig: XssConfig = {
  ...defaultXssConfig,
  allowedTags: [
    ...defaultXssConfig.allowedTags,
    'font', 'center', 'sup', 'sub', 'small', 'big',
    'hr', 'address', 'caption', 'colgroup', 'col'
  ],
  allowedAttributes: [
    ...defaultXssConfig.allowedAttributes,
    'style', 'align', 'valign', 'bgcolor', 'color', 'size', 'face'
  ]
}

// 纯文本配置（最严格）
export const textOnlyXssConfig: XssConfig = {
  allowedTags: [],
  allowedAttributes: [],
  allowedProtocols: [],
  allowDataAttributes: false,
  maxLength: 5000,
  strictUrlValidation: true
}

// 评论配置（中等严格）
export const commentXssConfig: XssConfig = {
  allowedTags: ['p', 'br', 'strong', 'em', 'b', 'i', 'u', 'ul', 'ol', 'li', 'blockquote'],
  allowedAttributes: [],
  allowedProtocols: ['http:', 'https:'],
  allowDataAttributes: false,
  maxLength: 2000,
  strictUrlValidation: true
}

// XSS关键字黑名单
export const xssBlacklist = [
  'javascript:', 'vbscript:', 'livescript:', 'mocha:', 'data:',
  'onabort', 'onactivate', 'onafterprint', 'onafterupdate',
  'onbeforeactivate', 'onbeforecopy', 'onbeforecut',
  'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste',
  'onbeforeprint', 'onbeforeunload', 'onbeforeupdate',
  'onblur', 'onbounce', 'oncellchange', 'onchange',
  'onclick', 'oncontextmenu', 'oncontrolselect',
  'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged',
  'ondatasetcomplete', 'ondblclick', 'ondeactivate',
  'ondrag', 'ondragend', 'ondragenter', 'ondragleave',
  'ondragover', 'ondragstart', 'ondrop', 'onerror',
  'onerrorupdate', 'onfilterchange', 'onfinish',
  'onfocus', 'onfocusin', 'onfocusout', 'onhelp',
  'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete',
  'onload', 'onlosecapture', 'onmousedown', 'onmouseenter',
  'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover',
  'onmouseup', 'onmousewheel', 'onmove', 'onmoveend',
  'onmovestart', 'onpaste', 'onpropertychange',
  'onreadystatechange', 'onreset', 'onresize', 'onresizeend',
  'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete',
  'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange',
  'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload'
]

// 危险的HTML标签
export const dangerousTags = [
  'script', 'iframe', 'object', 'embed', 'form', 'input',
  'textarea', 'button', 'select', 'option', 'optgroup',
  'fieldset', 'legend', 'label', 'datalist', 'keygen',
  'output', 'progress', 'meter', 'details', 'summary',
  'command', 'menu', 'dialog', 'template', 'canvas',
  'svg', 'math', 'audio', 'video', 'source', 'track'
]

// 危险的CSS属性
export const dangerousCssProperties = [
  'expression', 'behavior', 'binding', 'filter',
  '-moz-binding', '-webkit-binding', '-ms-binding'
]

// 获取指定场景的XSS配置
export function getXssConfig(scene: 'default' | 'rich' | 'text' | 'comment'): XssConfig {
  switch (scene) {
    case 'rich':
      return richTextXssConfig
    case 'text':
      return textOnlyXssConfig
    case 'comment':
      return commentXssConfig
    case 'default':
    default:
      return defaultXssConfig
  }
}

export default {
  defaultXssConfig,
  richTextXssConfig,
  textOnlyXssConfig,
  commentXssConfig,
  xssBlacklist,
  dangerousTags,
  dangerousCssProperties,
  getXssConfig
}